
[Link] Update Vulnerability In Third Party SDK For Android Platform

Posted 01 January 2014 - 02:38 PM

For those who make money off advertising in their Android apps:

Quote

The framework is called HomeBase SDK (software development kit) and is developed by Widdit, based in Ramat Gan, Israel. It allows Android developers to monetize their apps by displaying ads and custom content on the phone's lock screen...

Since the communication with the update server is done via plain HTTP with no SSL encryption, an attacker could intercept the application's request as it travels over an insecure wireless network or a compromised network gateway and serve back a malicious JAR file, according to the Bitdefender researchers.

In addition, the authenticity of the downloaded file is not verified, so the host app has no way of knowing whether the JAR file actually came from Widdit or not, they said.
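The two gaps described in the quote (plain HTTP transport and no authenticity check on the downloaded JAR) are closed by refusing non-HTTPS update URLs and verifying a detached signature against a public key shipped inside the app before the file is ever loaded. The sketch below is an added example, not part of the original post, the quoted article, or Widdit's SDK; the class name `UpdateVerifier`, the `updates.example.com` URLs, and the choice of an RSA detached signature are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

public class UpdateVerifier {           // hypothetical name, not an SDK class
    private final PublicKey pinnedKey;  // shipped inside the APK, never fetched at runtime

    public UpdateVerifier(byte[] x509EncodedKey) throws GeneralSecurityException {
        pinnedKey = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(x509EncodedKey));
    }

    /** True only if the URL is HTTPS and the signature over the JAR bytes verifies. */
    public boolean accept(String url, byte[] jar, byte[] sig) {
        try {
            if (!"https".equalsIgnoreCase(URI.create(url).getScheme())) {
                return false; // plain HTTP: anyone on the network path can swap the file
            }
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(pinnedKey);
            v.update(jar);
            return v.verify(sig);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed URL, signature or key: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway key pair stands in for the vendor's key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair();
        byte[] jar = "constructed sample JAR bytes".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendor.getPrivate());
        s.update(jar);
        byte[] sig = s.sign();

        UpdateVerifier uv = new UpdateVerifier(vendor.getPublic().getEncoded());
        byte[] tampered = jar.clone();
        tampered[0] ^= 1; // flip one bit, as an in-path modification would

        System.out.println("https + valid signature: "
                + uv.accept("https://updates.example.com/sdk.jar", jar, sig));
        System.out.println("http  + valid signature: "
                + uv.accept("http://updates.example.com/sdk.jar", jar, sig));
        System.out.println("https + tampered JAR:    "
                + uv.accept("https://updates.example.com/sdk.jar", tampered, sig));
    }
}
```

The signature check is the part that matters most: it still rejects a replaced file if TLS is stripped or the update host itself is compromised, provided the signing key is kept off that host.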